Package: guix-patches;
Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Date: Wed, 19 Mar 2025 07:17:02 UTC
Severity: normal
Tags: patch
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 0/2] Add UEFI firmware support in libvirt.
Date: Wed, 19 Mar 2025 16:15:31 +0900
Previously, our available UEFI firmware would not be detected by libvirt, even when it was added to the system profile. This change fixes that, and enables customizing which firmwares are exposed to the QEMU backend of libvirt.

Maxim Cournoyer (2):
  gnu: ovmf-x86-64: Install QEMU firmware metadata file.
  services: libvirt: Add UEFI firmware support.

 Makefile.am                                        |   1 +
 doc/guix.texi                                      | 506 +++++------------
 .../ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json         |  36 ++
 gnu/packages/firmware.scm                          |  24 +-
 gnu/services/virtualization.scm                    |  76 ++-
 gnu/tests/virtualization.scm                       |  33 +-
 6 files changed, 271 insertions(+), 405 deletions(-)
 create mode 100644 gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json

base-commit: fa39695bbc0c5f79838cbca55d55eebd821a8efa
-- 
2.48.1
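The cover letter's symptom (firmware in the profile, yet invisible to libvirt) comes from libvirt reading descriptors only from its own share/qemu/firmware and from /etc/qemu/firmware, as the second patch notes. The script below is an added example, not part of this series or of Guix: it resolves descriptors across those directories with the same-name override and empty-file mask rules of QEMU's firmware descriptor interface, checks that each mapping's images exist and were rewritten away from Fedora's /usr/share paths (the step patch 1 performs), and reports whether a candidate advertises secure boot. The store path, descriptor contents and the site override it builds under a temporary directory are constructed samples.

```python
import json
import os
import tempfile
from fnmatch import fnmatch

def collect_descriptors(search_dirs):
    """Map descriptor file name -> path libvirt would read.  SEARCH_DIRS runs from
    highest to lowest priority (/etc/qemu/firmware, then share/qemu/firmware of the
    package): a higher name hides the same name lower down; an empty file masks it."""
    chosen = {}
    for directory in search_dirs:
        for name in (os.listdir(directory) if os.path.isdir(directory) else []):
            if name.endswith(".json") and name not in chosen:
                chosen[name] = os.path.join(directory, name)
    # Consumers sort by file name; lower-sorting names take precedence.
    return {name: (None if os.path.getsize(path) == 0 else path)
            for name, path in sorted(chosen.items())}

def descriptor_problems(desc, root="/"):
    """List what stops DESC from booting a guest; ROOT prefixes the firmware paths."""
    problems = []
    mapping = desc.get("mapping", {})
    # Split mode needs a separate NVRAM template; combined mode does not.
    keys = ("executable", "nvram-template") if mapping.get("mode") == "split" else ("executable",)
    for key in keys:
        filename = mapping.get(key, {}).get("filename")
        if not filename:
            problems.append(f"mapping lacks {key}.filename")
            continue
        if filename.startswith("/usr/share/"):  # Fedora's path, never rewritten
            problems.append(f"{key} still points at upstream path {filename}")
        if not os.path.isfile(os.path.join(root, filename.lstrip("/"))):
            problems.append(f"{key} file {filename} is missing")
    return problems

def matches_target(desc, arch, machine):
    """True when a target lists ARCH with a machine glob matching MACHINE."""
    return any(t.get("architecture") == arch
               and any(fnmatch(machine, pat) for pat in t.get("machines", []))
               for t in desc.get("targets", []))

def audit_firmwares(search_dirs, arch, machine, root="/"):
    """Per descriptor name, report what libvirt would see for ARCH/MACHINE."""
    report = {}
    for name, path in collect_descriptors(search_dirs).items():
        if path is None:
            report[name] = {"masked": True}
            continue
        with open(path) as f:
            desc = json.load(f)
        report[name] = {"masked": False, "path": path,
                        "applies": matches_target(desc, arch, machine),
                        "secure_boot": "secure-boot" in desc.get("features", []),
                        "problems": descriptor_problems(desc, root)}
    return report

def build_demo_tree():
    """Construct a throw-away layout (not a real Guix store) mirroring the
    patch: a package dir with the rewritten descriptor and images, plus an
    /etc override dir with one stale upstream-path descriptor and one mask."""
    root = tempfile.mkdtemp(prefix="fw-audit-")
    pkg = "gnu/store/0000000000000000000000000000000-ovmf-x86-64"  # constructed
    fw = f"/{pkg}/share/firmware"

    def write(relative, content):
        full = os.path.join(root, relative)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)

    def descriptor(code, nvram, features):
        return json.dumps({"interface-types": ["uefi"], "features": features,
                           "mapping": {"device": "flash", "mode": "split",
                                       "executable": {"filename": code, "format": "raw"},
                                       "nvram-template": {"filename": nvram, "format": "raw"}},
                           "targets": [{"architecture": "x86_64",
                                        "machines": ["pc-i440fx-*", "pc-q35-*"]}]})

    for kind in ("code", "vars"):
        write(f"{pkg}/share/firmware/ovmf_{kind}_x64.bin", "constructed image")
    rewritten = descriptor(f"{fw}/ovmf_code_x64.bin", f"{fw}/ovmf_vars_x64.bin",
                           ["acpi-s3", "amd-sev", "amd-sev-es", "verbose-dynamic"])
    write(f"{pkg}/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json", rewritten)
    write(f"{pkg}/share/qemu/firmware/60-vendor.json", rewritten)
    # Site override that advertises Secure Boot but kept Fedora's paths.
    write("etc/qemu/firmware/40-site-sb.json",
          descriptor("/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
                     "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
                     ["secure-boot", "enrolled-keys"]))
    write("etc/qemu/firmware/60-vendor.json", "")  # empty: masks 60-vendor.json
    return root, [os.path.join(root, "etc/qemu/firmware"),
                  os.path.join(root, pkg, "share/qemu/firmware")]

def run_demo():
    """Audit the sample tree as libvirt would for an x86_64 q35 guest."""
    root, dirs = build_demo_tree()
    return audit_firmwares(dirs, "x86_64", "pc-q35-9.2", root=root)
```

On a real system, call audit_firmwares with the two live directories and the default root to see which descriptors libvirt can actually use for a given machine type.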
Message #8 received at 77110 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 77110 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 1/2] gnu: ovmf-x86-64: Install QEMU firmware metadata file.
Date: Wed, 19 Mar 2025 21:45:12 +0900
* gnu/packages/firmware.scm (ovmf-x86-64) [phases] {install-qemu-firmware-metadata}: New phase. (ovmf-aux-file): New procedure. * gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json: New file. * Makefile.am (AUX_FILES): Register it. Change-Id: I301eac8b79aed523f3b4cdedb7b3925d8fd0ad3d --- Makefile.am | 1 + .../ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json | 36 +++++++++++++++++++ gnu/packages/firmware.scm | 24 ++++++++++++- 3 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json diff --git a/Makefile.am b/Makefile.am index c668b96a37..f2f4a9643e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -472,6 +472,7 @@ AUX_FILES = \ gnu/packages/aux-files/linux-libre/5.4-arm64.conf \ gnu/packages/aux-files/linux-libre/5.4-i686.conf \ gnu/packages/aux-files/linux-libre/5.4-x86_64.conf \ + gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json \ gnu/packages/aux-files/pack-audit.c \ gnu/packages/aux-files/python/sanity-check.py \ gnu/packages/aux-files/python/sitecustomize.py \ diff --git a/gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json b/gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json new file mode 100644 index 0000000000..050853e2b8 --- /dev/null +++ b/gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json @@ -0,0 +1,36 @@ +{ + "description": "OVMF without SB+SMM, empty varstore", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode" : "split", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd", + "format": "raw" + }, + "nvram-template": { + "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-i440fx-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "amd-sev", + "amd-sev-es", + "verbose-dynamic" + ], + "tags": [ + + ] +} 
diff --git a/gnu/packages/firmware.scm b/gnu/packages/firmware.scm index 63f767f72b..c1d8ba3719 100644 --- a/gnu/packages/firmware.scm +++ b/gnu/packages/firmware.scm @@ -1001,6 +1001,10 @@ (define* (make-ovmf-firmware arch) (license (list license:expat license:bsd-2 license:bsd-3 license:bsd-4))))) +(define (ovmf-aux-file name) + "Return as a gexp the auxiliary OVMF file corresponding to NAME." + (local-file (search-auxiliary-file (string-append "ovmf/" name)))) + (define-public ovmf-x86-64 (let ((base (make-ovmf-firmware "x86_64"))) (package @@ -1022,7 +1026,25 @@ (define-public ovmf-x86-64 (string-append fmw "/" (string-downcase file) "_x64.bin"))) (list "OVMF" "OVMF_CODE" - "OVMF_VARS")))))))))))) + "OVMF_VARS"))))) + (add-after 'install 'install-qemu-firmware-metadata + (lambda _ + ;; The QEMU firmware metadata files are taken from the + ;; Fedora project (see: + ;; https://src.fedoraproject.org/rpms/edk2/tree/rawhide). + (let ((51-edk2-ovmf-2m-raw-x64-nosb.json-source + #$(ovmf-aux-file "51-edk2-ovmf-2m-raw-x64-nosb.json")) + (51-edk2-ovmf-2m-raw-x64-nosb.json-dest + (string-append #$output "/share/qemu/firmware/" + "51-edk2-ovmf-2m-raw-x64-nosb.json"))) + (mkdir-p (dirname 51-edk2-ovmf-2m-raw-x64-nosb.json-dest)) + (copy-file 51-edk2-ovmf-2m-raw-x64-nosb.json-source + 51-edk2-ovmf-2m-raw-x64-nosb.json-dest) + (substitute* 51-edk2-ovmf-2m-raw-x64-nosb.json-dest + (("/usr/share/edk2/ovmf/OVMF_(CODE|VARS).fd" _ kind) + (string-append + #$output "/share/firmware/ovmf_" + (string-downcase kind) "_x64.bin"))))))))))))) (define-public ovmf-i686 (let ((base (make-ovmf-firmware "i686"))) base-commit: fa39695bbc0c5f79838cbca55d55eebd821a8efa -- 2.48.1
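Review bot: the "features" list in 51-edk2-ovmf-2m-raw-x64-nosb.json ("acpi-s3", "amd-sev", "amd-sev-es", "verbose-dynamic") is copied from Fedora's edk2 packaging, and libvirt consults these tags when auto-selecting a firmware for a guest; please confirm the Guix-built OVMF_CODE image was actually built with SEV/SEV-ES support, or drop the tags it does not honour, since a tag the binary cannot back makes libvirt pick a firmware that then fails at launch. It would also help to state in the commit message that this descriptor ("OVMF without SB+SMM", no "secure-boot" feature) exposes a non-Secure-Boot firmware only, so a domain requesting secure boot has no candidate until a matching descriptor is added.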
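Review bot: in install-qemu-firmware-metadata the substitute* pattern "/usr/share/edk2/ovmf/OVMF_(CODE|VARS).fd" leaves the "." unescaped; it matches the two intended lines, but "\\.fd" states the intent. The bindings 51-edk2-ovmf-2m-raw-x64-nosb.json-source and 51-edk2-ovmf-2m-raw-x64-nosb.json-dest make the let hard to read; plain source/dest would do, as the file name is already spelled out in the string-append. Consider also checking that the rewritten targets, ovmf_code_x64.bin and ovmf_vars_x64.bin under #$output/share/firmware, exist before copying the descriptor, so a later rename in the install phase cannot ship a descriptor pointing at missing images.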
Message #11 received at 77110 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 77110 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 2/2] services: libvirt: Add UEFI firmware support.
Date: Wed, 19 Mar 2025 21:45:13 +0900
This makes libvirt able to boot images that require a UEFI bootloader, with the available firmwares exposed to libvirt made configurable via a new configuration field. For more background on the problem this fixes, see the same issue that was reported in NixOS (see: https://github.com/NixOS/nixpkgs/issues/115996). * gnu/services/virtualization.scm: (list-of-file-likes?): New predicate. (libvirt-configuration): [firmwares]: New field. (/etc/qemu/firmware): New procedure. (libvirt-service-type): Extend the etc-service-type with it. (generate-libvirt-documentation): Delete obsolete procedure. * doc/guix.texi: Re-generate doc. * gnu/tests/virtualization.scm (run-libvirt-test): Augment memory from 256 to 512 MiB. Test it. Change-Id: I40694964405f13681520bf1e28b7365b0200d8f7 --- doc/guix.texi | 506 ++++++++------------------------ gnu/services/virtualization.scm | 76 +++-- gnu/tests/virtualization.scm | 33 ++- 3 files changed, 211 insertions(+), 404 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 0488559332..e36fbad19f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -37895,406 +37895,220 @@ Virtualization Services @end lisp @end defvar -@c Auto-generated with (generate-libvirt-documentation) +@c Auto-generated with (configuration->documentation 'libvirt-configuration) +@c %start of fragment +@deftp {Data Type} libvirt-configuration Available @code{libvirt-configuration} fields are: -@deftypevr {@code{libvirt-configuration} parameter} package libvirt +@table @asis +@item @code{libvirt} (default: @code{libvirt}) (type: file-like) Libvirt package. -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} boolean listen-tls? -Flag listening for secure TLS connections on the public TCP/IP port. -You must set @code{listen} for this to have any effect. - -It is necessary to setup a CA and issue server certificates before using -this capability. - -Defaults to @samp{#t}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} boolean listen-tcp? -Listen for unencrypted TCP connections on the public TCP/IP port. You must -set @code{listen} for this to have any effect. - -Using the TCP socket requires SASL authentication by default. Only SASL -mechanisms which support data encryption are allowed. This is -DIGEST_MD5 and GSSAPI (Kerberos5). - -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string tls-port -Port for accepting secure TLS connections. This can be a port number, -or service name. +@item @code{qemu} (default: @code{qemu}) (type: file-like) +Qemu package. -Defaults to @samp{"16514"}. +@item @code{firmwares} (default: @code{(ovmf-x86-64)}) (type: list-of-file-likes) +List of UEFI/BIOS firmware packages to make available. Each firmware +package should contain a @file{share/qemu/firmware/@var{NAME}.json} QEMU +firmware metadata file. -@end deftypevr +@item @code{listen-tls?} (default: @code{#t}) (type: boolean) +Flag listening for secure TLS connections on the public TCP/IP port. +must set @code{listen} for this to have any effect. 
It is necessary to +setup a CA and issue server certificates before using this capability. -@deftypevr {@code{libvirt-configuration} parameter} string tcp-port -Port for accepting insecure TCP connections. This can be a port number, -or service name. +@item @code{listen-tcp?} (default: @code{#f}) (type: boolean) +Listen for unencrypted TCP connections on the public TCP/IP port. must +set @code{listen} for this to have any effect. Using the TCP socket +requires SASL authentication by default. Only SASL mechanisms which +support data encryption are allowed. This is DIGEST_MD5 and GSSAPI +(Kerberos5) -Defaults to @samp{"16509"}. +@item @code{tls-port} (default: @code{"16514"}) (type: string) +Port for accepting secure TLS connections This can be a port number, or +service name -@end deftypevr +@item @code{tcp-port} (default: @code{"16509"}) (type: string) +Port for accepting insecure TCP connections This can be a port number, +or service name -@deftypevr {@code{libvirt-configuration} parameter} string listen-addr +@item @code{listen-addr} (default: @code{"0.0.0.0"}) (type: string) IP address or hostname used for client connections. -Defaults to @samp{"0.0.0.0"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} boolean mdns-adv? -Flag toggling mDNS advertisement of the libvirt service. - -Alternatively can disable for all services on a host by stopping the -Avahi daemon. +@item @code{mdns-adv?} (default: @code{#f}) (type: boolean) +Flag toggling mDNS advertisement of the libvirt service. Alternatively +can disable for all services on a host by stopping the Avahi daemon. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string mdns-name +@item @code{mdns-name} (default: @code{"Virtualization Host terra"}) (type: string) Default mDNS advertisement name. This must be unique on the immediate broadcast network. -Defaults to @samp{"Virtualization Host <hostname>"}. 
- -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string unix-sock-group +@item @code{unix-sock-group} (default: @code{"libvirt"}) (type: string) UNIX domain socket group ownership. This can be used to allow a 'trusted' set of users access to management capabilities without becoming root. -Defaults to @samp{"libvirt"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string unix-sock-ro-perms +@item @code{unix-sock-ro-perms} (default: @code{"0777"}) (type: string) UNIX socket permissions for the R/O socket. This is used for monitoring VM status only. -Defaults to @samp{"0777"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string unix-sock-rw-perms +@item @code{unix-sock-rw-perms} (default: @code{"0770"}) (type: string) UNIX socket permissions for the R/W socket. Default allows only root. If PolicyKit is enabled on the socket, the default will change to allow everyone (eg, 0777) -Defaults to @samp{"0770"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string unix-sock-admin-perms +@item @code{unix-sock-admin-perms} (default: @code{"0777"}) (type: string) UNIX socket permissions for the admin socket. Default allows only owner (root), do not change it unless you are sure to whom you are exposing the access to. -Defaults to @samp{"0777"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string unix-sock-dir +@item @code{unix-sock-dir} (default: @code{"/var/run/libvirt"}) (type: string) The directory in which sockets will be found/created. -Defaults to @samp{"/var/run/libvirt"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string auth-unix-ro +@item @code{auth-unix-ro} (default: @code{"polkit"}) (type: string) Authentication scheme for UNIX read-only sockets. By default socket permissions allow anyone to connect -Defaults to @samp{"polkit"}. 
- -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string auth-unix-rw +@item @code{auth-unix-rw} (default: @code{"polkit"}) (type: string) Authentication scheme for UNIX read-write sockets. By default socket permissions only allow root. If PolicyKit support was compiled into libvirt, the default will be to use 'polkit' auth. -Defaults to @samp{"polkit"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string auth-tcp +@item @code{auth-tcp} (default: @code{"sasl"}) (type: string) Authentication scheme for TCP sockets. If you don't enable SASL, then all TCP traffic is cleartext. Don't do this outside of a dev/test scenario. -Defaults to @samp{"sasl"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string auth-tls +@item @code{auth-tls} (default: @code{"none"}) (type: string) Authentication scheme for TLS sockets. TLS sockets already have encryption provided by the TLS layer, and limited authentication is done -by certificates. - -It is possible to make use of any SASL authentication mechanism as well, -by using 'sasl' for this option +by certificates. It is possible to make use of any SASL authentication +mechanism as well, by using 'sasl' for this option -Defaults to @samp{"none"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} optional-list access-drivers -API access control scheme. - -By default an authenticated user is allowed access to all APIs. Access -drivers can place restrictions on this. - -Defaults to @samp{'()}. - -@end deftypevr +@item @code{access-drivers} (default: @code{()}) (type: optional-list) +API access control scheme. By default an authenticated user is allowed +access to all APIs. Access drivers can place restrictions on this. -@deftypevr {@code{libvirt-configuration} parameter} string key-file +@item @code{key-file} (default: @code{""}) (type: string) Server key file path. If set to an empty string, then no private key is loaded. 
-Defaults to @samp{""}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string cert-file +@item @code{cert-file} (default: @code{""}) (type: string) Server key file path. If set to an empty string, then no certificate is loaded. -Defaults to @samp{""}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string ca-file +@item @code{ca-file} (default: @code{""}) (type: string) Server key file path. If set to an empty string, then no CA certificate is loaded. -Defaults to @samp{""}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string crl-file +@item @code{crl-file} (default: @code{""}) (type: string) Certificate revocation list path. If set to an empty string, then no CRL is loaded. -Defaults to @samp{""}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-sanity-cert -Disable verification of our own server certificates. +@item @code{tls-no-sanity-cert} (default: @code{#f}) (type: boolean) +Disable verification of our own server certificates. When libvirtd +starts it performs some sanity checks against its own certificates. -When libvirtd starts it performs some sanity checks against its own -certificates. +@item @code{tls-no-verify-cert} (default: @code{#f}) (type: boolean) +Disable verification of client certificates. Client certificate +verification is the primary authentication mechanism. Any client which +does not present a certificate signed by the CA will be rejected. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} boolean tls-no-verify-cert -Disable verification of client certificates. - -Client certificate verification is the primary authentication mechanism. -Any client which does not present a certificate signed by the CA will be -rejected. - -Defaults to @samp{#f}. 
- -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} optional-list tls-allowed-dn-list +@item @code{tls-allowed-dn-list} (default: @code{()}) (type: optional-list) Whitelist of allowed x509 Distinguished Name. -Defaults to @samp{'()}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} optional-list sasl-allowed-usernames +@item @code{sasl-allowed-usernames} (default: @code{()}) (type: optional-list) Whitelist of allowed SASL usernames. The format for username depends on the SASL authentication mechanism. -Defaults to @samp{'()}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string tls-priority +@item @code{tls-priority} (default: @code{"NORMAL"}) (type: string) Override the compile time default TLS priority string. The default is -usually @samp{"NORMAL"} unless overridden at build time. Only set this is it +usually "NORMAL" unless overridden at build time. Only set this is it is desired for libvirt to deviate from the global default settings. -Defaults to @samp{"NORMAL"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer max-clients +@item @code{max-clients} (default: @code{5000}) (type: integer) Maximum number of concurrent client connections to allow over all sockets combined. -Defaults to @samp{5000}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer max-queued-clients +@item @code{max-queued-clients} (default: @code{1000}) (type: integer) Maximum length of queue of connections waiting to be accepted by the daemon. Note, that some protocols supporting retransmission may obey this so that a later reattempt at connection succeeds. -Defaults to @samp{1000}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer max-anonymous-clients +@item @code{max-anonymous-clients} (default: @code{20}) (type: integer) Maximum length of queue of accepted but not yet authenticated clients. 
Set this to zero to turn this feature off -Defaults to @samp{20}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer min-workers +@item @code{min-workers} (default: @code{5}) (type: integer) Number of workers to start up initially. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer max-workers -Maximum number of worker threads. - -If the number of active clients exceeds @code{min-workers}, then more -threads are spawned, up to max_workers limit. Typically you'd want -max_workers to equal maximum number of clients allowed. - -Defaults to @samp{20}. - -@end deftypevr +@item @code{max-workers} (default: @code{20}) (type: integer) +Maximum number of worker threads. If the number of active clients +exceeds @code{min-workers}, then more threads are spawned, up to +max_workers limit. Typically you'd want max_workers to equal maximum +number of clients allowed. -@deftypevr {@code{libvirt-configuration} parameter} integer prio-workers +@item @code{prio-workers} (default: @code{5}) (type: integer) Number of priority workers. If all workers from above pool are stuck, some calls marked as high priority (notably domainDestroy) can be executed in this pool. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer max-requests +@item @code{max-requests} (default: @code{20}) (type: integer) Total global limit on concurrent RPC calls. -Defaults to @samp{20}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer max-client-requests +@item @code{max-client-requests} (default: @code{5}) (type: integer) Limit on concurrent requests from a single client connection. To avoid one client monopolizing the server this should be a small fraction of the global max_requests and max_workers parameter. -Defaults to @samp{5}. 
- -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-min-workers +@item @code{admin-min-workers} (default: @code{1}) (type: integer) Same as @code{min-workers} but for the admin interface. -Defaults to @samp{1}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-max-workers +@item @code{admin-max-workers} (default: @code{5}) (type: integer) Same as @code{max-workers} but for the admin interface. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-max-clients +@item @code{admin-max-clients} (default: @code{5}) (type: integer) Same as @code{max-clients} but for the admin interface. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-max-queued-clients +@item @code{admin-max-queued-clients} (default: @code{5}) (type: integer) Same as @code{max-queued-clients} but for the admin interface. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-max-client-requests +@item @code{admin-max-client-requests} (default: @code{5}) (type: integer) Same as @code{max-client-requests} but for the admin interface. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer log-level +@item @code{log-level} (default: @code{3}) (type: integer) Logging level. 4 errors, 3 warnings, 2 information, 1 debug. -Defaults to @samp{3}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string log-filters -Logging filters. - -A filter allows to select a different logging level for a given category -of logs. The format for a filter is one of: +@item @code{log-filters} (default: @code{"3:remote 4:event"}) (type: string) +Logging filters. 
A filter allows selecting a different logging level +for a given category of logs The format for a filter is one of: @itemize @bullet -@item -x:name - -@item -x:+name - +@item x:name +@item x:+name @end itemize where @code{name} is a string which is matched against the category given in the @code{VIR_LOG_INIT()} at the top of each libvirt source -file, e.g., @samp{"remote"}, @samp{"qemu"}, or @samp{"util.json"} (the -name in the filter can be a substring of the full category name, in -order to match multiple similar categories), the optional @samp{"+"} -prefix tells libvirt to log stack trace for each message matching name, -and @code{x} is the minimal level where matching messages should be -logged: +file, e.g., "remote", "qemu", or "util.json" (the name in the filter can +be a substring of the full category name, in order to match multiple +similar categories), the optional "+" prefix tells libvirt to log stack +trace for each message matching name, and @code{x} is the minimal level +where matching messages should be logged: @itemize @bullet -@item -1: DEBUG - -@item -2: INFO - -@item -3: WARNING - -@item -4: ERROR - +@item 1: DEBUG +@item 2: INFO +@item 3: WARNING +@item 4: ERROR @end itemize Multiple filters can be defined in a single filters statement, they just need to be separated by spaces. -Defaults to @samp{"3:remote 4:event"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} string log-outputs -Logging outputs. - -An output is one of the places to save logging information. The format -for an output can be: +@item @code{log-outputs} (default: @code{"3:syslog:libvirtd"}) (type: string) +Logging outputs. An output is one of the places to save logging +information The format for an output can be: @table @code @item x:stderr 
@@ -38308,137 +38122,77 @@ Virtualization Services @item x:journald output to journald logging system - @end table -In all case the x prefix is the minimal level, acting as a filter +In all case the x prefix is the minimal level, acting as a +filter @itemize @bullet -@item -1: DEBUG - -@item -2: INFO - -@item -3: WARNING - -@item -4: ERROR - +@item 1: DEBUG +@item 2: INFO +@item 3: WARNING +@item 4: ERROR @end itemize Multiple outputs can be defined, they just need to be separated by spaces. -Defaults to @samp{"3:stderr"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer audit-level +@item @code{audit-level} (default: @code{1}) (type: integer) Allows usage of the auditing subsystem to be altered @itemize @bullet -@item -0: disable all auditing - -@item -1: enable auditing, only if enabled on host - -@item -2: enable auditing, and exit if disabled on host. - +@item 0: disable all auditing +@item 1: enable auditing, only if enabled on host +@item 2: enable auditing, and exit if disabled on host. @end itemize -Defaults to @samp{1}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} boolean audit-logging +@item @code{audit-logging} (default: @code{#f}) (type: boolean) Send audit messages via libvirt logging infrastructure. -Defaults to @samp{#f}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} optional-string host-uuid -Host UUID@. UUID must not have all digits be the same. - -Defaults to @samp{""}. - -@end deftypevr +@item @code{host-uuid} (default: @code{""}) (type: optional-string) +Host UUID. UUID must not have all digits be the same. -@deftypevr {@code{libvirt-configuration} parameter} string host-uuid-source +@item @code{host-uuid-source} (default: @code{"smbios"}) (type: string) Source to read host UUID. 
@itemize @bullet -@item -@code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid} - -@item -@code{machine-id}: fetch the UUID from @code{/etc/machine-id} - +@item @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid} +@item @code{machine-id}: fetch the UUID from @code{/etc/machine-id} @end itemize If @code{dmidecode} does not provide a valid UUID a temporary UUID will be generated. -Defaults to @samp{"smbios"}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer keepalive-interval +@item @code{keepalive-interval} (default: @code{5}) (type: integer) A keepalive message is sent to a client after @code{keepalive_interval} seconds of inactivity to check if the client is still responding. If set to -1, libvirtd will never send keepalive requests; however clients can still send them and the daemon will send responses. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer keepalive-count +@item @code{keepalive-count} (default: @code{5}) (type: integer) Maximum number of keepalive messages that are allowed to be sent to the client without getting any response before the connection is considered -broken. - -In other words, the connection is automatically closed approximately -after @code{keepalive_interval * (keepalive_count + 1)} seconds since -the last message received from the client. When @code{keepalive-count} -is set to 0, connections will be automatically closed after -@code{keepalive-interval} seconds of inactivity without sending any -keepalive messages. - -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-interval +broken. In other words, the connection is automatically closed +approximately after @code{keepalive_interval * (keepalive_count + 1)} +seconds since the last message received from the client. 
When +@code{keepalive-count} is set to 0, connections will be automatically +closed after @code{keepalive-interval} seconds of inactivity without +sending any keepalive messages. + +@item @code{admin-keepalive-interval} (default: @code{5}) (type: integer) Same as above but for admin interface. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer admin-keepalive-count +@item @code{admin-keepalive-count} (default: @code{5}) (type: integer) Same as above but for admin interface. -Defaults to @samp{5}. - -@end deftypevr - -@deftypevr {@code{libvirt-configuration} parameter} integer ovs-timeout -Timeout for Open vSwitch calls. +@item @code{ovs-timeout} (default: @code{5}) (type: integer) +Timeout for Open vSwitch calls. The @code{ovs-vsctl} utility is used +for the configuration and its timeout option is set by default to 5 +seconds to avoid potential infinite waits blocking libvirt. -The @code{ovs-vsctl} utility is used for the configuration and its -timeout option is set by default to 5 seconds to avoid potential -infinite waits blocking libvirt. - -Defaults to @samp{5}. - -@end deftypevr - -@c %end of autogenerated docs +@end table +@end deftp +@c %end of fragment @subsubheading Virtlog daemon The virtlogd service is a server side daemon component of libvirt that is diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 555c0be55e..40dad7dc1e 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2022 Leo Nikkilä <hello <at> lnikki.la> ;;; Copyright © 2023 Efraim Flashner <efraim <at> flashner.co.il> ;;; Copyright © 2024 Raven Hallsby <karl <at> hallsby.com> +;;; Copyright © 2025 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -29,6 +30,7 @@ (define-module (gnu services virtualization) #:use-module (gnu image) #:use-module (gnu packages admin) #:use-module (gnu packages bash) + #:use-module (gnu packages firmware) #:use-module (gnu packages gdb) #:autoload (gnu packages gnupg) (guile-gcrypt) #:use-module (gnu packages package-management) @@ -107,6 +109,7 @@ (define-module (gnu services virtualization) libvirt-configuration-ca-file libvirt-configuration-cert-file libvirt-configuration-crl-file + libvirt-configuration-firmwares libvirt-configuration-host-uuid libvirt-configuration-host-uuid-source libvirt-configuration-keepalive-count @@ -205,6 +208,9 @@ (define (serialize-optional-string field-name val) (format #t "# ~a = \"\"\n" (uglify-field-name field-name)) (serialize-string field-name val))) +(define list-of-file-likes? + (list-of file-like?)) + (define-configuration libvirt-configuration (libvirt (file-like libvirt) @@ -212,7 +218,12 @@ (define-configuration libvirt-configuration (qemu (file-like qemu) "Qemu package.") - + (firmwares + (list-of-file-likes (list ovmf-x86-64)) + "List of UEFI/BIOS firmware packages to make available. Each firmware +package should contain a @file{share/qemu/firmware/@var{NAME}.json} QEMU +firmware metadata file." + (serializer empty-serializer)) (listen-tls? (boolean #t) "Flag listening for secure TLS connections on the public TCP/IP port. @@ -540,7 +551,6 @@ (define (%libvirt-activation config) (use-modules (guix build utils)) (mkdir-p #$sock-dir)))) - (define (libvirt-shepherd-service config) (let* ((config-file (libvirt-conf-file config)) (libvirt (libvirt-configuration-libvirt config)) @@ -553,7 +563,8 @@ (define (libvirt-shepherd-service config) (list (string-append #$libvirt "/sbin/libvirtd") "-f" #$config-file #$@(if listen-tcp? '("--listen") '())) - ;; For finding qemu, ip binaries and kernel modules. + ;; For finding qemu, firmwares, the 'ip' command and + ;; kernel modules. #:environment-variables (list (string-append 
@@ -564,29 +575,45 @@ (define (libvirt-shepherd-service config) "/run/booted-system/kernel/lib/modules")))) (stop #~(make-kill-destructor)))))) +(define (/etc/qemu/firmware config) + (let ((firmwares (libvirt-configuration-firmwares config))) + `(("qemu" + ,(computed-file + "etc-qemu-firmware" + (with-imported-modules '((guix build union)) + #~(begin + (use-modules (guix build union) (srfi srfi-26)) + (mkdir #$output) + (union-build (string-append #$output "/firmware") + (map (cut string-append <> "/share/qemu/firmware") + (list #$@firmwares)))))))))) + (define libvirt-service-type - (service-type (name 'libvirt) - (extensions - (list - (service-extension polkit-service-type - (compose list libvirt-configuration-libvirt)) - (service-extension profile-service-type - (lambda (config) - (list - (libvirt-configuration-libvirt config) - (libvirt-configuration-qemu config)))) - (service-extension activation-service-type - %libvirt-activation) - (service-extension shepherd-root-service-type - libvirt-shepherd-service) - (service-extension account-service-type - (const %libvirt-accounts)))) - (default-value (libvirt-configuration)) - (description "Run @command{libvirtd}, a daemon of the libvirt + (service-type + (name 'libvirt) + (extensions + (list + (service-extension polkit-service-type + (compose list libvirt-configuration-libvirt)) + (service-extension profile-service-type + (lambda (config) + (list (libvirt-configuration-libvirt config) + (libvirt-configuration-qemu config)))) + ;; Libvirt only considers the $libvirt/share/qemu/firmware and + ;; /etc/qemu/firmware directories to locate the QEMU firmware metadata + ;; specifications. 
+ (service-extension etc-service-type /etc/qemu/firmware) + (service-extension activation-service-type + %libvirt-activation) + (service-extension shepherd-root-service-type + libvirt-shepherd-service) + (service-extension account-service-type + (const %libvirt-accounts)))) + (default-value (libvirt-configuration)) + (description "Run @command{libvirtd}, a daemon of the libvirt virtualization management system. This daemon runs on host servers and performs required management tasks for virtualized guests."))) - (define-record-type* <virtlog-configuration> virtlog-configuration make-virtlog-configuration virtlog-configuration? @@ -638,11 +665,6 @@ (define virtlog-service-type (description "Run @command{virtlogd}, a daemon libvirt that is used to manage logs from @acronym{VM, virtual machine} consoles."))) -(define (generate-libvirt-documentation) - (generate-documentation - `((libvirt-configuration ,libvirt-configuration-fields)) - 'libvirt-configuration)) - ;;; ;;; Transparent QEMU emulation via binfmt_misc. diff --git a/gnu/tests/virtualization.scm b/gnu/tests/virtualization.scm index a3c9c4014b..e08f66eb28 100644 --- a/gnu/tests/virtualization.scm +++ b/gnu/tests/virtualization.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org> ;;; Copyright © 2021 Pierre Langlois <pierre.langlois <at> gmx.com> ;;; Copyright © 2022 Marius Bakke <marius <at> gnu.org> +;;; Copyright © 2025 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -69,7 +70,8 @@ (define (run-libvirt-test) (define vm (virtual-machine (operating-system os) - (port-forwardings '()))) + (port-forwardings '()) + (memory-size 512))) (define test (with-imported-modules '((gnu build marionette)) 
@@ -135,6 +137,35 @@ (define (run-libvirt-test) "-c" "qemu:///system" "net-start" "default")) marionette)) + (test-assert "configured firmwares are available to libvirt" + (marionette-eval + '(begin + (use-modules (ice-9 popen) + (ice-9 textual-ports) + (srfi srfi-1) + (srfi srfi-26)) + (let* ((conf-firmwares (list #$@(libvirt-configuration-firmwares + (libvirt-configuration)))) + (virsh #$(file-append libvirt "/bin/virsh")) + (input-pipe (open-pipe* + OPEN_READ + virsh "-c" "qemu:///system" + "domcapabilities" "--xpath" + "/domainCapabilities/os/loader/value/text()")) + (output (get-string-all input-pipe)) + (found-firmwares (string-split (string-trim-both output) + #\newline))) + (close-pipe input-pipe) + ;; Check that every configured firmware package is covered + ;; by at least by one firmware file available to libvirt. + (every (lambda (conf-firmware) + ;; The firmwares listed by virsh contains their + ;; full file names, not just their package output. + (any (cut string-prefix? conf-firmware <>) + found-firmwares)) + conf-firmwares))) + marionette)) + (test-end)))) (gexp->derivation "libvirt-test" test)) -- 2.48.1
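Review bot: the `firmwares` docstring in the `define-configuration` hunk leaves out what happens when two packages in the list ship a descriptor under the same file name. The `/etc/qemu/firmware` directory is assembled with `union-build`, whose default collision handling keeps the file from the first package listed and only warns at build time, so list order silently decides which descriptor wins. Stating that in the docstring, or passing `#:resolve-collision` a procedure that raises an error on duplicates, would make the behaviour explicit.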
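Review bot: `/etc/qemu/firmware` hands `<pkg>/share/qemu/firmware` for every entry of `firmwares` to `union-build` without checking that the directory exists, while the docstring only says a firmware package "should" ship a descriptor there; a package that provides images but no descriptor then fails (or contributes nothing) with no clear message. Filtering the list with `directory-exists?` and reporting the packages skipped, or turning the "should" into a hard requirement checked when the field is set, would make the failure mode explicit. The comment above the `etc-service-type` extension could also say that descriptors placed in `/etc/qemu/firmware` take precedence over same-named ones under `$libvirt/share/qemu/firmware` in QEMU's documented lookup order, which is what makes the configured list authoritative.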
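Review bot: in the "configured firmwares are available to libvirt" test, the comment reads "covered by at least by one" (doubled "by") and "The firmwares listed by virsh contains" should be "contain". On the check itself, `string-prefix?` against the package output path accepts any loader path below that output, so a descriptor that points at a non-existent file name inside the package (the rename scheme discussed on this thread) still passes as long as `virsh domcapabilities` lists it; asserting on the exact expected `.../share/firmware/ovmf_code_x64.bin` path, or running `file-exists?` over each loader path inside the marionette, would catch that. An empty `domcapabilities` output gives `'("")` from `string-split` and correctly fails `every`, but a `test-equal` on the loader list would yield a more informative failure than `test-assert`.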
Message #14 received at 77110 <at> debbugs.gnu.org:
From: Efraim Flashner <efraim <at> flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, 77110 <at> debbugs.gnu.org
Subject: Re: [bug#77110] [PATCH 1/2] gnu: ovmf-x86-64: Install QEMU firmware metadata file.
Date: Wed, 19 Mar 2025 17:03:14 +0200
51-edk2-ovmf-2m-raw-x64-nosb.json is very similar to a file shipped by qemu, in the sources in pc-bios/descriptors¹. On Wed, Mar 19, 2025 at 09:45:12PM +0900, Maxim Cournoyer wrote: > * gnu/packages/firmware.scm (ovmf-x86-64) > [phases] {install-qemu-firmware-metadata}: New phase. > (ovmf-aux-file): New procedure. > * gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json: New file. > * Makefile.am (AUX_FILES): Register it. > > Change-Id: I301eac8b79aed523f3b4cdedb7b3925d8fd0ad3d > --- > > Makefile.am | 1 + > .../ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json | 36 +++++++++++++++++++ > gnu/packages/firmware.scm | 24 ++++++++++++- > 3 files changed, 60 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json > > diff --git a/Makefile.am b/Makefile.am > index c668b96a37..f2f4a9643e 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -472,6 +472,7 @@ AUX_FILES = \ > gnu/packages/aux-files/linux-libre/5.4-arm64.conf \ > gnu/packages/aux-files/linux-libre/5.4-i686.conf \ > gnu/packages/aux-files/linux-libre/5.4-x86_64.conf \ > + gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json \ > gnu/packages/aux-files/pack-audit.c \ > gnu/packages/aux-files/python/sanity-check.py \ > gnu/packages/aux-files/python/sitecustomize.py \ > diff --git a/gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json b/gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json > new file mode 100644 > index 0000000000..050853e2b8 > --- /dev/null > +++ b/gnu/packages/aux-files/ovmf/51-edk2-ovmf-2m-raw-x64-nosb.json 
> @@ -0,0 +1,36 @@ > +{ > + "description": "OVMF without SB+SMM, empty varstore", > + "interface-types": [ > + "uefi" > + ], > + "mapping": { > + "device": "flash", > + "mode" : "split", > + "executable": { > + "filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd", > + "format": "raw" > + }, > + "nvram-template": { > + "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", > + "format": "raw" > + } > + }, > + "targets": [ > + { > + "architecture": "x86_64", > + "machines": [ > + "pc-i440fx-*", > + "pc-q35-*" > + ] > + } > + ], > + "features": [ > + "acpi-s3", > + "amd-sev", > + "amd-sev-es", > + "verbose-dynamic" > + ], > + "tags": [ > + > + ] > +} > diff --git a/gnu/packages/firmware.scm b/gnu/packages/firmware.scm > index 63f767f72b..c1d8ba3719 100644 > --- a/gnu/packages/firmware.scm > +++ b/gnu/packages/firmware.scm > @@ -1001,6 +1001,10 @@ (define* (make-ovmf-firmware arch) > (license (list license:expat > license:bsd-2 license:bsd-3 license:bsd-4))))) > > +(define (ovmf-aux-file name) > + "Return as a gexp the auxiliary OVMF file corresponding to NAME." > + (local-file (search-auxiliary-file (string-append "ovmf/" name)))) > + > (define-public ovmf-x86-64 > (let ((base (make-ovmf-firmware "x86_64"))) > (package 
> @@ -1022,7 +1026,25 @@ (define-public ovmf-x86-64 > (string-append fmw "/" (string-downcase file) "_x64.bin"))) > (list "OVMF" > "OVMF_CODE" > - "OVMF_VARS")))))))))))) > + "OVMF_VARS"))))) These 3 files we rename from OVMF* to ovmf*_x64.bin, but based on roms/edk2-build.config from the qemu sources² OVMF_CODE would become edk2-x86_64-code.fd. I think we should standardize on using Qemu's naming scheme for the files. Also we currently install these files to %output/share/firmware and there are other files we install to %output/share/qemu and we should probably standardize between them. > + (add-after 'install 'install-qemu-firmware-metadata > + (lambda _ > + ;; The QEMU firmware metadata files are taken from the > + ;; Fedora project (see: > + ;; https://src.fedoraproject.org/rpms/edk2/tree/rawhide). > + (let ((51-edk2-ovmf-2m-raw-x64-nosb.json-source > + #$(ovmf-aux-file "51-edk2-ovmf-2m-raw-x64-nosb.json")) > + (51-edk2-ovmf-2m-raw-x64-nosb.json-dest > + (string-append #$output "/share/qemu/firmware/" > + "51-edk2-ovmf-2m-raw-x64-nosb.json"))) > + (mkdir-p (dirname 51-edk2-ovmf-2m-raw-x64-nosb.json-dest)) > + (copy-file 51-edk2-ovmf-2m-raw-x64-nosb.json-source > + 51-edk2-ovmf-2m-raw-x64-nosb.json-dest) > + (substitute* 51-edk2-ovmf-2m-raw-x64-nosb.json-dest > + (("/usr/share/edk2/ovmf/OVMF_(CODE|VARS).fd" _ kind) > + (string-append > + #$output "/share/firmware/ovmf_" > + (string-downcase kind) "_x64.bin"))))))))))))) Would it be possible to instead use the search-path to find the firmwares or is that not really possible? 
> > (define-public ovmf-i686 > (let ((base (make-ovmf-firmware "i686"))) > > base-commit: fa39695bbc0c5f79838cbca55d55eebd821a8efa > -- > 2.48.1 > ¹ https://gitlab.com/qemu-project/qemu/-/blob/v9.1.3/pc-bios/descriptors/60-edk2-x86_64.json ² https://gitlab.com/qemu-project/qemu/-/blob/v9.1.3/roms/edk2-build.config#L62 -- Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
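Review bot: the quoted `51-edk2-ovmf-2m-raw-x64-nosb.json` hunk has a stray blank line inside the `"tags"` array; `[]` is cleaner. More substantively, its `"features"` list advertises `"amd-sev"` and `"amd-sev-es"`, which only hold if the image produced by `make-ovmf-firmware` is built with SEV support, so it is worth confirming against the build flags there: libvirt relies on these feature tags to choose a loader for a guest that requests SEV.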
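Review bot: the docstring of `ovmf-aux-file` says it returns "a gexp", but `local-file` returns a file-like object (a `<local-file>` record) that is later ungexp'd in the phase; "Return a file-like object for the auxiliary OVMF file NAME" would be accurate.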
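Review bot: in the `install-qemu-firmware-metadata` phase, nothing verifies after `substitute*` that `#$output/share/firmware/ovmf_code_x64.bin` and `ovmf_vars_x64.bin` actually exist, so if the rename in the preceding phase changes (as discussed above) the build still succeeds with a descriptor pointing at missing files, and the breakage only surfaces when a guest fails to start. A `file-exists?` check over both rewritten paths at the end of the phase, e.g. `(unless (file-exists? path) (error "descriptor references a missing firmware file" path))`, would fail the build instead. Minor: the regexp `"/usr/share/edk2/ovmf/OVMF_(CODE|VARS).fd"` leaves the `.` unescaped; it still matches, but `\\.fd` states the intent.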
Message #17 received at 77110 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, 77110 <at> debbugs.gnu.org
Subject: Re: [bug#77110] [PATCH 1/2] gnu: ovmf-x86-64: Install QEMU firmware metadata file.
Date: Thu, 20 Mar 2025 15:48:34 +0900
Hi Efraim, Efraim Flashner <efraim <at> flashner.co.il> writes: > 51-edk2-ovmf-2m-raw-x64-nosb.json is very similar to a file shipped by > qemu, in the sources in pc-bios/descriptors¹. Indeed, I found out the firmwares currently bundled with QEMU (see bug#77092) come with firmware descriptors. Are you suggesting we use these instead? I don't mind too much, except that's a lot of source to unpack to grab a template file, which seems inefficient to me, and that accessing source archives is a bit annoying currently in Guix (because it may be a tarball, or a directory, or it may change if patches get later added... but that's an issue for another time). [...] >> diff --git a/gnu/packages/firmware.scm b/gnu/packages/firmware.scm >> index 63f767f72b..c1d8ba3719 100644 >> --- a/gnu/packages/firmware.scm >> +++ b/gnu/packages/firmware.scm >> @@ -1001,6 +1001,10 @@ (define* (make-ovmf-firmware arch) >> (license (list license:expat >> license:bsd-2 license:bsd-3 license:bsd-4))))) >> >> +(define (ovmf-aux-file name) >> + "Return as a gexp the auxiliary OVMF file corresponding to NAME." >> + (local-file (search-auxiliary-file (string-append "ovmf/" name)))) >> + >> (define-public ovmf-x86-64 >> (let ((base (make-ovmf-firmware "x86_64"))) >> (package 
>> @@ -1022,7 +1026,25 @@ (define-public ovmf-x86-64 >> (string-append fmw "/" (string-downcase file) "_x64.bin"))) >> (list "OVMF" >> "OVMF_CODE" >> - "OVMF_VARS")))))))))))) >> + "OVMF_VARS"))))) > > These 3 files we rename from OVMF* to ovmf*_x64.bin, but based on > roms/edk2-build.config from the qemu sources² OVMF_CODE would become > edk2-x86_64-code.fd. I think we should standardize on using Qemu's > naming scheme for the files. I think we should go ever farther and standardize on *not* renaming them at all. This would remove the arbitrary nature of renaming them to something else that is bound to surprise users. On most distributions they are kept under their original names. The JSON firmware metadata/descriptors files can refer to any name anyway, so outside of following conventions, the name is not too important. But I'd prefer to keep this renaming business for another time, perhaps when I get to add more UEFI firmware variants (at which point it may be more efficient to build them all at once and split them in various outputs). > Also we currently install these files to %output/share/firmware and > there are other files we install to %output/share/qemu and we should > probably standardize between them. The location of the files should match the prevalent convention, which I think is share/firmware. QEMU firmware metadata files on the other hand must be under share/qemu/firmware/, as this is where libvirt expects to find them (actually it won't because we aren't FHS, but that's where it would otherwise :-)). >> + (add-after 'install 'install-qemu-firmware-metadata >> + (lambda _ >> + ;; The QEMU firmware metadata files are taken from the >> + ;; Fedora project (see: >> + ;; https://src.fedoraproject.org/rpms/edk2/tree/rawhide). 
>> + (let ((51-edk2-ovmf-2m-raw-x64-nosb.json-source >> + #$(ovmf-aux-file "51-edk2-ovmf-2m-raw-x64-nosb.json")) >> + (51-edk2-ovmf-2m-raw-x64-nosb.json-dest >> + (string-append #$output "/share/qemu/firmware/" >> + "51-edk2-ovmf-2m-raw-x64-nosb.json"))) >> + (mkdir-p (dirname 51-edk2-ovmf-2m-raw-x64-nosb.json-dest)) >> + (copy-file 51-edk2-ovmf-2m-raw-x64-nosb.json-source >> + 51-edk2-ovmf-2m-raw-x64-nosb.json-dest) >> + (substitute* 51-edk2-ovmf-2m-raw-x64-nosb.json-dest >> + (("/usr/share/edk2/ovmf/OVMF_(CODE|VARS).fd" _ kind) >> + (string-append >> + #$output "/share/firmware/ovmf_" >> + (string-downcase kind) "_x64.bin"))))))))))))) > > Would it be possible to instead use the search-path to find the > firmwares or is that not really possible? Libvirt has no search path for that. IIRC, it uses $XDG_CONFIG_HOME/qemu/firmware if you run it as a simple user, and otherwise /usr/share/qemu/firmware on FHS, with /etc/qemu/firmware as a fallback to discover the firmware metadata files for QEMU. -- Thanks, Maxim
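The lookup rules Maxim describes above (descriptors under share/qemu/firmware, with /etc/qemu/firmware consulted as well) can be checked on a host with a small script. What follows is an added example written for this page, not code from the Guix patch, from libvirt or from QEMU. It assumes the directory precedence and shadowing rules documented in QEMU's docs/interop/firmware.json (an earlier directory shadows same-named files in later ones, and a zero-length file masks them), and it uses a made-up store path and constructed descriptors so it runs offline; on a real system you would point `load_descriptors` at `/etc/qemu/firmware` and `$libvirt/share/qemu/firmware`.

```python
"""Resolve QEMU firmware descriptors the way QEMU/libvirt do and check the
images they reference.  Constructed example: the store path, hash and
descriptors below are made up for illustration."""
import fnmatch
import json
import os
import tempfile

# Placeholder store path standing in for the ovmf-x86-64 package output.
OVMF_OUTPUT = "/gnu/store/00000000000000000000000000000000-ovmf-x86-64"
SAMPLE_OVMF = {
    "description": "OVMF without SB+SMM, empty varstore",
    "interface-types": ["uefi"],
    "mapping": {"device": "flash", "mode": "split",
                "executable": {"filename": OVMF_OUTPUT + "/share/firmware/ovmf_code_x64.bin", "format": "raw"},
                "nvram-template": {"filename": OVMF_OUTPUT + "/share/firmware/ovmf_vars_x64.bin", "format": "raw"}},
    "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
    "features": ["acpi-s3", "verbose-dynamic"], "tags": [],
}


def resolve_descriptor_files(search_dirs):
    """Map file name -> winning path, visiting SEARCH_DIRS from highest to
    lowest priority; a zero-length file masks lower ones (stored as None)."""
    resolved = {}
    for directory in search_dirs:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if not name.endswith(".json") or name in resolved:
                continue  # a higher-priority directory already decided this name
            path = os.path.join(directory, name)
            resolved[name] = None if os.path.getsize(path) == 0 else path
    return resolved


def load_descriptors(search_dirs):
    """Parse the winning descriptors in ascending file-name order."""
    files = resolve_descriptor_files(search_dirs)
    descriptors = []
    for name in sorted(files):
        if files[name] is None:
            continue
        with open(files[name]) as fh:
            descriptors.append((name, json.load(fh)))
    return descriptors


def descriptor_problems(desc, exists=os.path.exists):
    """List what is wrong with DESC; EXISTS is injectable for fake trees."""
    problems = []
    mapping = desc.get("mapping", {})
    for key in ("executable", "nvram-template"):
        entry = mapping.get(key)
        if entry is None:
            if key == "executable" or mapping.get("mode") == "split":
                problems.append(f"missing mapping.{key}")
            continue
        if not exists(entry.get("filename", "")):
            problems.append(f"{key} not found: {entry.get('filename')}")
    return problems


def select_firmware(descs, arch, machine, exists=os.path.exists):
    """First usable (name, descriptor) for ARCH/MACHINE, or None."""
    for name, desc in descs:
        if descriptor_problems(desc, exists):
            continue
        for target in desc.get("targets", []):
            if target.get("architecture") == arch and any(
                    fnmatch.fnmatch(machine, pat) for pat in target.get("machines", [])):
                return name, desc
    return None


def build_sample_tree(root):
    """Write a constructed etc/ and share/ pair under ROOT and return them."""
    etc_dir, share_dir = os.path.join(root, "etc"), os.path.join(root, "share")
    for directory in (etc_dir, share_dir):
        os.makedirs(directory)
    with open(os.path.join(etc_dir, "51-edk2-ovmf-2m-raw-x64-nosb.json"), "w") as fh:
        json.dump(SAMPLE_OVMF, fh)
    # share/ carries a descriptor we do not ship; the empty file of the same
    # name in etc/ masks it, so it must never be selected.
    with open(os.path.join(share_dir, "60-edk2-x86_64.json"), "w") as fh:
        json.dump(dict(SAMPLE_OVMF, description="masked descriptor"), fh)
    open(os.path.join(etc_dir, "60-edk2-x86_64.json"), "w").close()
    return etc_dir, share_dir


def demo():
    """Return (visible descriptor names, firmware chosen for a q35 guest)."""
    present = lambda path: path.startswith(OVMF_OUTPUT)  # only OVMF files "exist"
    with tempfile.TemporaryDirectory() as root:
        descs = load_descriptors(build_sample_tree(root))
        chosen = select_firmware(descs, "x86_64", "pc-q35-9.1", exists=present)
        return [name for name, _ in descs], (chosen[0] if chosen else None)
```

Running `descriptor_problems` over every descriptor `load_descriptors` returns catches a descriptor whose executable or nvram-template path does not exist, which is exactly the failure the rename discussion above could introduce, before a guest fails to start; the injected `exists` predicate is what lets the same check run in a test without the real store.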
Message #20 received at 77110 <at> debbugs.gnu.org:
From: Efraim Flashner <efraim <at> flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, 77110 <at> debbugs.gnu.org
Subject: Re: [bug#77110] [PATCH 1/2] gnu: ovmf-x86-64: Install QEMU firmware metadata file.
Date: Thu, 20 Mar 2025 12:54:05 +0200
On Thu, Mar 20, 2025 at 03:48:34PM +0900, Maxim Cournoyer wrote: > Hi Efraim, > > Efraim Flashner <efraim <at> flashner.co.il> writes: > > > 51-edk2-ovmf-2m-raw-x64-nosb.json is very similar to a file shipped by > > qemu, in the sources in pc-bios/descriptors¹. > > Indeed, I found out the firmwares currently bundled with QEMU (see > bug#77092) come with firmware descriptors. Are you suggesting we use > these instead? I don't mind too much, except that's a lot of source to > unpack to grab a template file, which seems inefficient to me, and that > accessing source archives is a bit annoying currently in Guix (because > it may be a tarball, or a directory, or it may change if patches get > later added... but that's an issue for another time). It looks like they're also installed in $out/share/qemu/firmware. At that point they have their paths pointing to qemu's location for the firmware, but we could change that at build time to point to firmware we've built or as part of a service to point to a different location. Reminding myself again that we're looking at the firmware itself, I think we shouldn't install a VM configuration file as part of the firmware. > [...] > > >> diff --git a/gnu/packages/firmware.scm b/gnu/packages/firmware.scm > >> index 63f767f72b..c1d8ba3719 100644 > >> --- a/gnu/packages/firmware.scm > >> +++ b/gnu/packages/firmware.scm > >> @@ -1001,6 +1001,10 @@ (define* (make-ovmf-firmware arch) > >> (license (list license:expat > >> license:bsd-2 license:bsd-3 license:bsd-4))))) > >> > >> +(define (ovmf-aux-file name) > >> + "Return as a gexp the auxiliary OVMF file corresponding to NAME." > >> + (local-file (search-auxiliary-file (string-append "ovmf/" name)))) > >> + > >> (define-public ovmf-x86-64 > >> (let ((base (make-ovmf-firmware "x86_64"))) > >> (package 
> >> @@ -1022,7 +1026,25 @@ (define-public ovmf-x86-64 > >> (string-append fmw "/" (string-downcase file) "_x64.bin"))) > >> (list "OVMF" > >> "OVMF_CODE" > >> - "OVMF_VARS")))))))))))) > >> + "OVMF_VARS"))))) > > > > These 3 files we rename from OVMF* to ovmf*_x64.bin, but based on > > roms/edk2-build.config from the qemu sources² OVMF_CODE would become > > edk2-x86_64-code.fd. I think we should standardize on using Qemu's > > naming scheme for the files. > > I think we should go ever farther and standardize on *not* renaming them > at all. This would remove the arbitrary nature of renaming them to > something else that is bound to surprise users. On most distributions > they are kept under their original names. The JSON firmware > metadata/descriptors files can refer to any name anyway, so outside of > following conventions, the name is not too important. > > But I'd prefer to keep this renaming business for another time, perhaps > when I get to add more UEFI firmware variants (at which point it may be > more efficient to build them all at once and split them in various > outputs). Sounds like a good idea. > > Also we currently install these files to %output/share/firmware and > > there are other files we install to %output/share/qemu and we should > > probably standardize between them. > > The location of the files should match the prevalent convention, which I > think is share/firmware. QEMU firmware metadata files on the other hand > must be under share/qemu/firmware/, as this is where libvirt expects to > find them (actually it won't because we aren't FHS, but that's where it > would otherwise :-)). > > >> + (add-after 'install 'install-qemu-firmware-metadata > >> + (lambda _ > >> + ;; The QEMU firmware metadata files are taken from the > >> + ;; Fedora project (see: > >> + ;; https://src.fedoraproject.org/rpms/edk2/tree/rawhide). 
> >> + (let ((51-edk2-ovmf-2m-raw-x64-nosb.json-source > >> + #$(ovmf-aux-file "51-edk2-ovmf-2m-raw-x64-nosb.json")) > >> + (51-edk2-ovmf-2m-raw-x64-nosb.json-dest > >> + (string-append #$output "/share/qemu/firmware/" > >> + "51-edk2-ovmf-2m-raw-x64-nosb.json"))) > >> + (mkdir-p (dirname 51-edk2-ovmf-2m-raw-x64-nosb.json-dest)) > >> + (copy-file 51-edk2-ovmf-2m-raw-x64-nosb.json-source > >> + 51-edk2-ovmf-2m-raw-x64-nosb.json-dest) > >> + (substitute* 51-edk2-ovmf-2m-raw-x64-nosb.json-dest > >> + (("/usr/share/edk2/ovmf/OVMF_(CODE|VARS).fd" _ kind) > >> + (string-append > >> + #$output "/share/firmware/ovmf_" > >> + (string-downcase kind) "_x64.bin"))))))))))))) > > > > Would it be possible to instead use the search-path to find the > > firmwares or is that not really possible? > > Libvirt has no search path for that. IIRC, it uses > $XDG_CONFIG_HOME/qemu/firmware if you run it as a simple user, and > otherwise /usr/share/qemu/firmware on FHS, with /etc/qemu/firmware as a > fallback to discover the firmware metadata files for QEMU. The libvirt service does have a qemu field. Perhaps we could make use of that somehow? > -- > Thanks, > Maxim -- Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
Message #23 received at 77110 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, 77110 <at> debbugs.gnu.org
Subject: Re: [bug#77110] [PATCH 1/2] gnu: ovmf-x86-64: Install QEMU firmware metadata file.
Date: Thu, 20 Mar 2025 23:36:27 +0900
Hi Efraim,

Efraim Flashner <efraim <at> flashner.co.il> writes:

> On Thu, Mar 20, 2025 at 03:48:34PM +0900, Maxim Cournoyer wrote:
>> Hi Efraim,
>>
>> Efraim Flashner <efraim <at> flashner.co.il> writes:
>>
>> > 51-edk2-ovmf-2m-raw-x64-nosb.json is very similar to a file shipped by
>> > qemu, in the sources in pc-bios/descriptors¹.
>>
>> Indeed, I found out the firmwares currently bundled with QEMU (see
>> bug#77092) come with firmware descriptors. Are you suggesting we use
>> these instead? I don't mind too much, except that's a lot of source to
>> unpack to grab a template file, which seems inefficient to me, and that
>> accessing source archives is a bit annoying currently in Guix (because
>> it may be a tarball, or a directory, or it may change if patches get
>> later added... but that's an issue for another time).
>
> It looks like they're also installed in $out/share/qemu/firmware. At
> that point they have their paths pointing to qemu's location for the
> firmware, but we could change that at build time to point to firmware
> we've built or as part of a service to point to a different location.
>
> Reminding myself again that we're looking at the firmware itself, I
> think we shouldn't install a VM configuration file as part of the
> firmware.

That's what most distributions appear to do, for example Fedora [0], and
it makes sense to me. QEMU itself should come without firmwares if we
want to keep its size in check, and it can't include the descriptor
files if it doesn't ship the firmware as the descriptor files reference
the file names (well, we could point to some place where they eventually
land, and have this provisioned by a service, but that's inelegant).

[0] https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/edk2.spec#_569

[...]

>> Libvirt has no search path for that. IIRC, it uses
>> $XDG_CONFIG_HOME/qemu/firmware if you run it as a simple user, and
>> otherwise /usr/share/qemu/firmware on FHS, with /etc/qemu/firmware as a
>> fallback to discover the firmware metadata files for QEMU.
>
> The libvirt service does have a qemu field. Perhaps we could make use of
> that somehow?

It's useful to have qemu a distinct field to firmwares; it points to the
qemu package/binary used by libvirt while firmwares allow you to specify
which firmware files are made available. Note that since QEMU currently
bundles many firmwares with their descriptors, you can currently add
'qemu' to the list of firmwares and it'll make them available to libvirt
(though I wouldn't advertise this too much as the goal should be to move
them to their own distinct packages).

-- 
Thanks,
Maxim
Message #28 received at 77110-done <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, 77110-done <at> debbugs.gnu.org
Subject: Re: [bug#77110] [PATCH 1/2] gnu: ovmf-x86-64: Install QEMU firmware metadata file.
Date: Thu, 27 Mar 2025 21:23:50 +0900
Hi,

I've now applied this series, thank you for reviewing it!

-- 
Thanks,
Maxim
Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org (Fri, 25 Apr 2025 11:24:06 GMT)